
Cracking WEP with no client

In my test lab I have an AP with no clients connected to it, and I want to crack the WEP key by rebroadcasting the packets that I receive from the AP. I'll finally convert the broadcast packet so that the AP generates a new IV.

Before this attack works, I first need to perform a fake authentication. This succeeds when I know the ESSID.

So, the question is: how can I successfully authenticate without knowing the ESSID and with no wireless clients connected?

cheers
Damien

Oh yes, that's a really nice question.
Hi everybody. My name is Andre, I'm new to BackTrack.

He is talking about a network that is not broadcasting the ESSID, so a hidden SSID.

There are a couple of options to try and find out what the ESSID is:

1. You do a dictionary attack on the network using mdk3.
2. You do a bruteforce attack on the network using mdk3
(not recommended for any SSID over 4 characters).
3. You monitor the network and wait for someone to probe it / associate with it.

So, Damien:

When you are running airodump and checking your network, is it showing a length-0 SSID, or length 5, or some other value?

If you can actually see how many characters it is, you can decide whether to use the bruteforce option. If it is length 0 then you will not know, so you would need to try the dictionary approach.

Make sure you insert the AP BSSID in place of xx:xx:xx:xx:xx:xx, the channel number in place of XX, and the name of your injection-enabled NIC in place of mon0.

B- Run aireplay in fake auth mode

aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

Insert the AP MAC address and the name of your NIC.

If the access point does not have MAC filtering, then you will be able to use the fake authentication attack without the -h argument; otherwise this attack will not work unless you use

aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0

where yy:yy:yy:yy:yy:yy is the MAC address of an already connected client (NOT YOUR NIC MAC).

C- Finally, run aireplay in ARP replay mode

aireplay-ng -3 -b xx:xx:xx:xx:xx:xx mon0

Again, replace xx:xx:xx:xx:xx:xx with the AP MAC and mon0 with your NIC name.

Good luck
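Seen from the wireless IDS side, the two steps in the post above (a fake-authentication loop, then ARP replay) leave a distinctive pattern in a monitor-mode capture: repeated authentication requests from one MAC to an AP that has no real clients, followed by a burst of same-sized data frames from that MAC. The Python below is an added example, not code from this thread or from the aircrack-ng project; the frame records and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of monitor-mode frame metadata, as a sensor might log it:
# (time_s, kind, src_mac, bssid, length). kind is "auth" for an 802.11
# authentication request and "data" for an encrypted data frame.
# aa:.. re-authenticates every 10 s and then injects 300 identical-size frames;
# bb:.. is a normal client sending frames of varying size at a low rate.
SAMPLE = (
    [(t * 10.0, "auth", "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc", 30) for t in range(4)]
    + [(0.5 + i * 0.002, "data", "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc", 68) for i in range(300)]
    + [(1.0 + i * 0.7, "data", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc", 100 + i * 7) for i in range(20)]
)


def _burst(times, threshold, window):
    """True if `threshold` events fall inside any `window`-second span."""
    ts = sorted(times)
    return any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1))


def repeated_auth(frames, window=60.0, threshold=3):
    """(src, bssid) pairs sending `threshold`+ authentication requests within
    `window` seconds. A real client authenticates once; a fake-auth loop that
    re-authenticates every few seconds does not (hypothetical thresholds)."""
    times = defaultdict(list)
    for t, kind, src, bssid, _ in frames:
        if kind == "auth":
            times[(src, bssid)].append(t)
    return {k for k, ts in times.items() if _burst(ts, threshold, window)}


def replay_flood(frames, window=1.0, threshold=100):
    """(src, bssid) pairs injecting `threshold`+ data frames of one exact size
    within `window` seconds. Replaying a single captured frame produces such a
    burst; ordinary traffic varies in size and rate (hypothetical thresholds)."""
    times = defaultdict(list)
    for t, kind, src, bssid, length in frames:
        if kind == "data":
            times[(src, bssid, length)].append(t)
    return {(src, bssid) for (src, bssid, _), ts in times.items()
            if _burst(ts, threshold, window)}


if __name__ == "__main__":
    print("fake-auth suspects:", repeated_auth(SAMPLE))
    print("replay suspects:   ", replay_flood(SAMPLE))
```

Both detectors fire on the injecting MAC only; an alert that combines them on the same source is a strong sign that someone is generating IVs against a WEP network the way the steps above describe, which is also the moment to retire WEP rather than tune thresholds.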

I've been attempting to do this very thing, yet when attempting this [code: airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0] I get "Invalid output format :IV's and PCAP format cannot be used together". What am I doing wrong? Thanks in advance for handing down the knowledge.